8407763

Secure Network Interface Device

Published: March 26, 2013
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A network interface device for providing a desired level of security for a protected host or workstation on a multi-level secure network, the device comprising: a network interface configured to connect operatively with a multi-level secure network over which data is exchanged among a number of hosts, and the network interface has a first Ethernet or medium access control (MAC) address corresponding to a guard control port of the interface, and a second Ethernet or MAC address corresponding to a guard data port of the interface; and a transport guard having (i) a control component coupled to the guard control port of the network interface for processing configuration data addressed to the first MAC address and for producing a corresponding security configuration output, (ii) a guard component coupled to the output of the control component and to the guard data port of the network interface, and (iii) a host interface coupled to the guard component and configured for exchanging data with the protected host; wherein the guard component of the transport guard is operative to pass inbound data addressed to the second MAC address from the guard data port of the network interface to the host interface of the transport guard, and to pass outbound data at the host interface to the guard data port of the network interface, according to the security configuration output from the control component of the transport guard.

2. A network interface device according to claim 1, wherein the control component of the transport guard is configured to report an auditable event through the guard control port when the guard component determines that the inbound data fails to meet the security configuration produced by the control component.

3. A network interface device according to claim 1, wherein the control component of the transport guard is configured to report an auditable event through the guard control port when the guard component determines that the outbound data fails to meet the security configuration produced by the control component.

4. A network interface device according to claim 1, wherein the guard component of the transport guard is configured to remove security labels from the inbound data before passing the data to the host interface.

5. A network interface device according to claim 1, wherein the guard component of the transport guard is configured to add security labels to the outbound data before passing the data to the guard data port.

6. A network interface device according to claim 1, wherein the configuration data includes an integrity level.

7. A network interface device according to claim 1, wherein the configuration data includes a security classification level.

8. A network interface device according to claim 1, wherein the configuration data includes an access control table for identifying other hosts on the network with which the protected host may communicate according to a discretionary access control (DAC) policy of the network.

9. A network interface device according to claim 8, wherein the access control table indicates whether or not the protected host may address outbound data to a given one of the other hosts on the network.

10. A network interface device according to claim 8, wherein the access control table indicates whether or not the protected host may receive inbound data from a given one of the other hosts on the network.

11. A multi-level secure network, comprising: a number of workstations configured to exchange data with one another in accordance with a defined network security policy; a network interface device associated with each workstation, wherein each network interface device protects its associated workstation and has: (a) a network interface configured to connect operatively with the network, wherein the interface has a first Ethernet or medium access control (MAC) address corresponding to a guard control port of the device, and a second Ethernet or MAC address corresponding to a guard data port of the device; and (b) a transport guard having (i) a control component coupled to the guard control port of the network interface for processing configuration data addressed to the first MAC address and for outputting a corresponding security configuration, (ii) a guard component coupled to the output of the control component and to the guard data port of the network interface, and (iii) a host interface coupled to the guard component and configured for exchanging data with the protected workstation; wherein the guard component of the transport guard is operative to pass inbound data addressed to the second MAC address from the guard data port of the network interface to the host interface of the transport guard, and to pass outbound data at the host interface to the guard data port of the network interface, according to the security configuration output from the control component of the transport guard.

12. A multi-level secure network according to claim 11, including a security manager workstation on the network for sending security configuration data to the network interface devices associated with other workstations on the network.

13. A multi-level secure network according to claim 11, wherein the network interface devices are in the form of network interface cards (NICs).

14. A multi-level secure network according to claim 11, wherein the control component of the transport guard is configured to report an auditable event through the guard control port when the guard component determines that the inbound data fails to meet the security configuration output by the control component.

15. A multi-level secure network according to claim 11, wherein the control component of the transport guard is configured to report an auditable event through the guard control port when the guard component determines that the outbound data fails to meet the security configuration output by the control component.

16. A multi-level secure network according to claim 11, wherein the configuration data includes an integrity level.

17. A multi-level secure network according to claim 11, wherein the configuration data includes a security classification level.

18. A multi-level secure network according to claim 11, wherein the configuration data includes an access control table for identifying other workstations on the network with which the protected workstation may communicate according to a discretionary access control (DAC) policy of the network.

19. A multi-level secure network according to claim 18, wherein the access control table indicates whether or not the protected workstation may address outbound data to a given one of the other workstations on the network.

20. A multi-level secure network according to claim 18, wherein the access control table indicates whether or not the protected workstation may receive inbound data from a given one of the other workstations on the network.
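The device of claims 1-10 (and its per-workstation form in claims 11-20), modelled in Python as an added example constructed for this page; it is not the patent's implementation or any vendor's code. The model keeps the claimed separation: frames addressed to the control MAC are the only ones that change the security configuration, frames addressed to the data MAC are filtered by the access control table and label check, labels are stripped inbound and added outbound, and every refusal is recorded as an auditable event. The two MAC addresses, the text configuration format, the ordering of classification levels, and the rule that an inbound label above the host's configured classification fails the check are all assumptions of the example; the claims only state that such fields exist.

```python
"""Illustrative model of the claimed transport guard (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed locally administered addresses for the two ports of one interface.
CONTROL_MAC = "02:00:00:00:00:01"   # guard control port: configuration only
DATA_MAC = "02:00:00:00:00:02"      # guard data port: protected host's traffic

# Assumed ordering of classification levels used by the inbound label check.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    payload: bytes
    label: Optional[str] = None     # security label carried on the wire


@dataclass
class SecurityConfig:
    classification: str             # claim 7
    integrity: int                  # claim 6 (stored; not enforced in this model)
    # claim 8: access control table, peer MAC -> (may send to peer, may receive from peer)
    acl: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)


def parse_config(payload: bytes) -> SecurityConfig:
    """Parse the assumed format 'classification=X;integrity=N;acl=<mac>/<perms>,...'
    where perms is any subset of 's' (send to peer) and 'r' (receive from peer)."""
    fields = dict(item.split("=", 1) for item in payload.decode().split(";") if item)
    acl: Dict[str, Tuple[bool, bool]] = {}
    for entry in fields.get("acl", "").split(","):
        if entry:
            mac, perms = entry.rsplit("/", 1)
            acl[mac] = ("s" in perms, "r" in perms)
    classification = fields["classification"]
    if classification not in LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    return SecurityConfig(classification, int(fields["integrity"]), acl)


class TransportGuard:
    def __init__(self) -> None:
        self.config: Optional[SecurityConfig] = None
        self.audit: List[str] = []      # auditable events reported via control port (claims 2, 3)
        self.to_host: List[bytes] = []  # host interface, inbound direction
        self.to_wire: List[Frame] = []  # guard data port, outbound direction

    def _audit(self, direction: str, peer: str, reason: str) -> None:
        self.audit.append(f"{direction} {peer}: {reason}")

    def receive_from_network(self, frame: Frame) -> bool:
        """Control component: only frames to CONTROL_MAC change the policy; data frames are guarded."""
        if frame.dst_mac == CONTROL_MAC:
            self.config = parse_config(frame.payload)
            return True
        if frame.dst_mac != DATA_MAC:
            return False                # not addressed to this device; dropped silently
        return self._guard_inbound(frame)

    def _guard_inbound(self, frame: Frame) -> bool:
        """Guard component, inbound: ACL and label check, then strip the label (claim 4)."""
        if self.config is None:
            self._audit("inbound", frame.src_mac, "no security configuration loaded")
            return False
        perms = self.config.acl.get(frame.src_mac)
        if perms is None or not perms[1]:
            self._audit("inbound", frame.src_mac, "source not permitted by access control table")
            return False
        if frame.label not in LEVELS or LEVELS[frame.label] > LEVELS[self.config.classification]:
            self._audit("inbound", frame.src_mac, f"label {frame.label!r} not acceptable for host")
            return False
        self.to_host.append(frame.payload)   # payload only; label removed
        return True

    def send_from_host(self, dst_mac: str, payload: bytes) -> bool:
        """Guard component, outbound: ACL check, then add the host's label (claim 5)."""
        if self.config is None:
            self._audit("outbound", dst_mac, "no security configuration loaded")
            return False
        perms = self.config.acl.get(dst_mac)
        if perms is None or not perms[0]:
            self._audit("outbound", dst_mac, "destination not permitted by access control table")
            return False
        self.to_wire.append(Frame(dst_mac, DATA_MAC, payload, label=self.config.classification))
        return True


def demo() -> TransportGuard:
    """Drive the guard with constructed frames (all addresses and contents are made up)."""
    guard = TransportGuard()
    peer_ok, peer_rx_only, stranger = "02:00:00:00:00:10", "02:00:00:00:00:11", "02:00:00:00:00:99"
    cfg = f"classification=CONFIDENTIAL;integrity=2;acl={peer_ok}/sr,{peer_rx_only}/r".encode()
    guard.receive_from_network(Frame(DATA_MAC, peer_ok, b"early", label="UNCLASSIFIED"))  # refused: no config yet
    guard.receive_from_network(Frame(DATA_MAC, peer_ok, cfg))                            # config on data MAC is ignored
    guard.receive_from_network(Frame(CONTROL_MAC, peer_ok, cfg))                         # config on control MAC applies
    guard.receive_from_network(Frame(DATA_MAC, peer_ok, b"hello", label="UNCLASSIFIED"))  # delivered, label stripped
    guard.receive_from_network(Frame(DATA_MAC, peer_ok, b"too high", label="SECRET"))     # refused: label too high
    guard.receive_from_network(Frame(DATA_MAC, stranger, b"who?", label="UNCLASSIFIED"))  # refused: not in ACL
    guard.send_from_host(peer_ok, b"reply")                                               # sent with CONFIDENTIAL label
    guard.send_from_host(peer_rx_only, b"not allowed")                                    # refused: receive-only peer
    return guard


if __name__ == "__main__":
    g = demo()
    print("to host:", g.to_host)
    print("to wire:", [(f.dst_mac, f.label) for f in g.to_wire])
    print("audit:", *g.audit, sep="\n  ")
```

The point the model makes is that the configuration path and the data path are distinguished purely by destination MAC address, so a host (or a peer on the data path) cannot reconfigure its own guard by sending configuration-shaped frames to the data port; only the control port, which claim 12 reserves for the security manager workstation, changes policy, and every refusal is surfaced as an auditable event rather than silently dropped.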

Patent Metadata

Filing Date

Unknown

Publication Date

March 26, 2013

Inventors

Michael K. Weller
Jeffrey B. Canter


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “SECURE NETWORK INTERFACE DEVICE” (8407763). https://patentable.app/patents/8407763

© 2026 Patentable. All rights reserved.
